- Distribution Method : Automatic infection using exploit by visiting website
- MD5 : b637fa22ee9e757fbfc19d2b116f0766
- Major Detection Name : W32/GenKryptik.BAPN!worm (Fortinet)
- Encrypted File Pattern : <Original Filename>.<Original Extension>
- Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\READ_ME.txt
- C:\Users\%UserName%\AppData\Roaming\<Random>.com
- C:\Windows\System32\Tasks\<Random>
- C:\Windows\System32\Tasks\<Random>1
- Payment Instrucition File : READ_ME.txt
- Major Characteristics :
- Offline Encryption
- Only run on Korean operating system
- Change the default values of the registry entry "HKEY_CLASSES_ROOT\mscfile\shell\open\command" and disable system restore (wmic shadowcopy delete) using Event Viewer (eventvwr.exe)
- Auto execute payment instrucition file (pcalua.exe -a notepad.exe -c %LocalAppData%\READ_ME.txt) every 15 minutes by adding Task Scheduler entries
- Auto connect MY DECRYPTOR site (pcalua.exe -a http://<URL>) every a hour by adding Task Scheduler entries
List